DGA - rdpb.go.th¸ปร.pdf · Organization)”เรียกโดยย่อว่า“DGA”ภายใต้การก ากับดูแลของนายกรัฐมนตรี
Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA...
Transcript of Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA...
![Page 1: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/1.jpg)
Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding
Vikash YadavData Scientist, Royal Bank of Canada
![Page 2: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/2.jpg)
Content
Problem
• Malware Life Cycle• Domain Generation Algorithm
Existing Solution
• Traditional Approaches• Machine Learning Approaches
RNN model
• Recurrent Neural Network based detecting technique• Unified Architecture
Enhancement
• Separate Embedding Model• Improvement in detecting unknown DGA
2
![Page 3: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/3.jpg)
Problem
• Malware Life Cycle• Domain Generation Algorithm
Existing Solution
• Traditional Approaches• Machine Learning Approaches
RNN model
• Recurrent Neural Network based detecting technique• Unified Architecture
Enhancement
• Separate Embedding Model• Improvement in detecting unknown DGA
3
![Page 4: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/4.jpg)
Life Cycle of a Malware
Initial CompromiseSuccessful
connection to Command & Control
Receive instruction to carry out
malicious activities
4
![Page 5: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/5.jpg)
Life Cycle of a Malware
Initial CompromiseSuccessful
connection to Command & Control
Receive instruction to carry out
malicious activities
5
![Page 6: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/6.jpg)
Domain Generation Algorithm (DGA)• DGA uses a seed
value and/or time-dependent element to avoid command and control domains or IPs being seized or sinkhole
6
Credit: Wikipedia
![Page 7: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/7.jpg)
Problem
• Malware Life Cycle• Domain Generation Algorithm
Existing Solution
• Traditional Approaches• Machine Learning Approaches
RNN model
• Recurrent Neural Network based detecting technique• Unified Architecture
Enhancement
• Separate Embedding Model• Improvement in detecting unknown DGAs
7
![Page 8: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/8.jpg)
Stopping DGA Malware – traditional approach
• Reverse engineer the binary to identify the DGA
• Blacklist the domain name and IP address of C2 server
• Sinkhole the C2 communication by registering the domain in advance
8
![Page 9: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/9.jpg)
Stopping DGA Malware – traditional approach
• Reactive
• Time consuming
• Not scalable
9
![Page 10: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/10.jpg)
Stopping DGA Malware – ML based approach
• NXDOMAIN DNS request based detection
• ML approach using handcrafted features
• RNN based detection
10
![Page 11: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/11.jpg)
NXDOMAIN DNS request based detection
• DGA generates a large number of domains of which only a select few are registered to host a C2 server• A client making
requests to a large number of NXDomainsis potentially hosting a DGA malware
11
Credit: Detecting DGA domains with recurrent neural networks and side information
![Page 12: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/12.jpg)
ML approach using handcrafted features
• Entropy, Length of the domain etc.• Number of vowels vs consonants in the
domain• Periodicity of the request• Popularity of the domain• Total byte sent and received
1212
![Page 13: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/13.jpg)
RNN based detection
• No explicit feature engineering required• Proactive• Easy to build and deploy• Easy to retrain outdated models• Highly scalable• Highly accurate
13
![Page 14: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/14.jpg)
Problem
• Malware Life Cycle• Domain Generation Algorithm
Existing Solution
• Traditional Approaches• Machine Learning Approaches
RNN model
• Recurrent Neural Network based detecting technique• Unified Architecture
Enhancement
• Separate Embedding Model• Improvement in detecting unknown DGAs
14
![Page 15: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/15.jpg)
Unified RNN Model Architecture
Input OutputEmbedding Layer
RNNLSTMLayer
15
![Page 16: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/16.jpg)
Dataset for RNN model
Benign Domains• Alexa top million domains• Cisco top million domains• ~1.8 million unique domains
o google.como youtube.como facebook.como baidu.como wikipedia.orgo yahoo.com
DGA Domains• http://data.netlab.360.com/dga/#virut
• ~1.1 million unique domains
o ydqtkptuwsa.orgo bnnkqwzmy.bizo glrmwqh.neto ibymtpyd.infoo bxyozfikd.wso nvjwoofansjbh.ru
Input OutputEmbedding Layer
RNNLSTMLayer
16
![Page 17: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/17.jpg)
Character Embedding
google.com
39 47 47 39 44 37 12 35 47 45
000..
39 47 47 39 44 37 12 35 47 45
EmbeddingLayer
0 0 0 0 0 0 0 00 0 0 0 0 0 0 00 0 0 0 0 0 0 0
.
.
.-0.57 -0.01 0.51 2.95 1.4 1.03 1.24 0.04-1.09 0.95 0.29 0.61 -0.72 1.67 1.38 -0.96-1.09 0.95 0.29 0.61 -0.72 1.67 1.38 -0.96-0.57 -0.01 0.51 2.95 1.4 1.03 1.24 0.040.48 -0.82 0.49 -1.06 0.8 0.83 -2.97 -0.35-0.51 -0.16 -0.9 -1.65 -0.2 0.6 0.34 0.940.27 0.4 -2 0.12 2.09 -2.12 2.38 -1.40.3 -0.3 2.02 1.68 -0.98 0.63 0.19 1.36
-1.09 0.95 0.29 0.61 -0.72 1.67 1.38 -0.96-2.02 -1.69 -0.46 0.26 1.97 0.58 -0.16 -0.45
Input OutputEmbedding Layer
RNNLSTMLayer
17
![Page 18: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/18.jpg)
Recurrent Neural Network Input OutputEmbedding Layer
RNNLSTMLayer
18
![Page 19: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/19.jpg)
Recurrent Neural Network
I grew up in France … I speak fluent ?
Input OutputEmbedding Layer
RNNLSTMLayer
19
![Page 20: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/20.jpg)
Recurrent Neural Network
I grew up in France … I speak fluent French?
Input OutputEmbedding Layer
RNNLSTMLayer
20
![Page 21: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/21.jpg)
Long Short-Term Memory Input OutputEmbedding Layer
RNNLSTMLayer
21
![Page 22: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/22.jpg)
Unified RNN Model Architecture
Input Domain
1D integer
sequence of fixed length
Embedding Layer, Output Dimension=8
Bidirectional LSTM Layer
(256)
OutputSigmoid
22
![Page 23: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/23.jpg)
Result
Test Accuracy for known DGA types
Label Record Count Unified Model Accuracy
F score
Benign 750153 0.99460.9874
Malicious 415976 0.9845
Very high accuracy for detecting known DGA types
23
![Page 24: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/24.jpg)
Result
Detection Accuracy for unknown DGA types –
Label Record Count Unified Model Accuracy
Sample
chinad 1000 0.996000 qowhi81jvoid4j0m.biz29cqdf6obnq462yv.com
ramnit 15080 0.718899 jrkaxdlkvhgsiyknhw.commtsoexdphaqliva.com
shifu 2554 0.438919 urkaelt.inforsymdhk.info
24
![Page 25: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/25.jpg)
Limitation
• Accuracy suffers for unknown DGA type
• Possible overfitting to training data
• Embedding representation is specific to the training data and is not representative of English language
25
![Page 26: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/26.jpg)
Problem
• Malware Life Cycle• Domain Generation Algorithm
Existing Solution
• Traditional Approaches• Machine Learning Approaches
RNN model
• Recurrent Neural Network based detecting technique• Unified Architecture
Enhancement
• Separate Embedding Model• Improvement in detecting unknown DGAs
26
![Page 27: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/27.jpg)
Training Separate Character Embedding Model• Learn embedding representation to capture the
contextual information of the English language by training on articles from popular US newspapers
• Use this general representation to transform domain names
• The error is calculated based on the model’s ability to predict the next character in the sequence
27
![Page 28: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/28.jpg)
Learning Character Embedding
Input
1D integer sequence of fixed length
Embedding Layer, Output Dimension=8
Bidirectional LSTM Layer
(256)
OutputSigmoid
Bidirectional LSTM Layer
(256)
Embedding Layer, Output Dimension=8
28
![Page 29: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/29.jpg)
Separate Character Embedding based RNN Model Architecture
Input Domain
1D integer
sequence of fixed length
Pre-trainedEmbedding
Layer, Output Dimension=8
Bidirectional LSTM Layer
(256)
OutputSigmoid
29
![Page 30: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/30.jpg)
Result
Test Accuracy for known DGA types
Label Record Count Unified Model Accuracy
Benign 750153 0.9946Malicious 415976 0.9845
30
![Page 31: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/31.jpg)
Result
Test Accuracy for known DGA types
Label Record Count Unified Model Accuracy
Separate Embedding Model Accuracy
F ScoreEmbedding Model
Benign 750153 0.9946 0.99220.9875
Malicious 415976 0.9845 0.9889
31
![Page 32: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/32.jpg)
Result
32
Label Record Count
Unified Model Accuracy
chinad 1000 0.996000
ramnit 15080 0.718899
shifu 2554 0.438919
Detection Accuracy for unknown DGA types –
![Page 33: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/33.jpg)
Result
Label Record Count
Unified Model Accuracy
Separate Embedding Model Accuracy % Increase
chinad 1000 0.996000 0.998000 0.2
ramnit 15080 0.718899 0.768833 5.0
shifu 2554 0.438919 0.831245 39.23
33
Detection Accuracy for unknown DGA types –
![Page 34: Enhancing Deep Learning DGA Detection Models Using ... COMM… · Enhancing Deep Learning DGA Detection Models Using Separate Character Embedding Vikash Yadav Data Scientist, Royal](https://reader033.fdocuments.us/reader033/viewer/2022042806/5f6dd64078e57d13e40c86ec/html5/thumbnails/34.jpg)
Wrapping Up
• LSTM based RNNs are highly effective in detecting DGA
• Our proposed changes can improve detection accuracy for unknown DGA malware
• RNN based detection is proactive rather than reactive
34